1. INTRODUCTION

As computer networking and the Internet are in ever greater demand all over the world, computers and local area networks have become more vulnerable to attacks, since it is very common for them to be connected to the Internet [1].

For this reason, the need for an enhanced network security system with high performance is increasing. A firewall is a network security system that prevents unauthorized access from passing through the network. It works as a barrier placed between the local network and the outside world to regulate the flow of traffic [2]. The main function of the firewall is to examine every incoming and outgoing packet passing through it and decide whether to accept or deny the packet according to its configured rules [3].

A firewall can be a software application or a hardware device running on a computer or a network to block unauthorized access while permitting authorized communication [4]. Compared with software firewalls, a hardware firewall offers higher speed, is more secure and is more convenient for networks with a large number of users. However, it is more expensive and harder to set up and configure. Editing and maintaining the rule set in traditional hardware firewalls becomes a problem as the firewall rules grow larger [5,6].

This paper proposes a firewall system that incorporates the good points of traditional hardware and software firewalls while minimizing the negative points of each. The implementation of the designed system is based on FPGA technology.
2. FPGA-based Proposed Firewall System

The complexity and processing time of a firewall increase as the size of its rule set grows. In this paper, the rules of the designed NetFPGA-based firewall system are very flexible and can be modified easily by any user at any time. An FPGA-based firewall can reduce the cost and complexity required to secure a large private network. The design of this firewall takes on the best features of traditional hardware and software firewalls while minimizing or avoiding the negative aspects of each.


2.1 FPGA & NetFPGA 

Because of an FPGA's ability to quickly map and re-map parallel hardware designs onto the same device, it is an excellent design platform [7]. An FPGA is a semiconductor device whose function can be defined after manufacturing. FPGAs are efficient choices in applications where high-performance computing is required, such as finance, medical imaging, etc. An FPGA contains a regular structure of logic cells and interconnections which are under the designer's complete control, which means that the designer can design, program and make changes to the designed circuit at any time [8,9]. A NetFPGA is an FPGA-based open platform. NetFPGAs enable designers and researchers to build high-speed, hardware-accelerated networking systems. They are line-rate, flexible and open-source hardware and software platforms used for research, teaching, and the development of networking components. The NetFPGA environment includes boards, reference projects, and software tools. A NetFPGA board is a hardware accelerator built around an FPGA driving 1/10/100 Gb/s network interfaces. There are four NetFPGA boards: NetFPGA-1G, NetFPGA-10G, NetFPGA-CML and NetFPGA-SUME [10-12].

This work uses the NetFPGA-1G-CML (shown in Figure 1), which enables rapid prototyping of networking devices. Its FPGA is a Xilinx Kintex-7 325T.





Figure 1. NetFPGA-1G-CML board


The designed firewall is based on modifying the NetFPGA-1G-CML Reference Router project. The implemented firewall system is a hardware and software co-design in which the main software design was written in the C programming language while the main hardware blocks were written in Verilog HDL. The whole design has been implemented and evaluated on the NetFPGA-1G-CML board with its Xilinx Kintex-7 XC7K325T FPGA. Some operations of the firewall are processed in hardware while others are processed in software.


2.1.1 NetFPGA Reference Router 

One of the reference projects of the NetFPGA platform is an IPv4 router, which was used in this work. The NetFPGA reference router forwards packets from all four 1 Gbps interfaces on the card simultaneously. The routing information and interface addresses are configured from the host at runtime. The project includes the software packages and the hardware design, which is written in Verilog HDL. The main software component of the NetFPGA reference router is called SCONE (software component of the NetFPGA). It is a user-level router that performs IPv4 forwarding and handles Address Resolution Protocol (ARP) and various Internet Control Message Protocol (ICMP) packets. SCONE is designed so that a set of rules can be written in the C programming language. SCONE mirrors a copy of its MAC addresses, IP addresses, routing table, and ARP table to the NetFPGA card [13, 14].
2.2 Hardware Designed Firewall


The designed hardware firewall system performs the operations described in the flowchart shown in 
Figure 2. 
Figure 2. The designed firewall system operation


The function of the firewall module is to read the destination IP address of the incoming packet and compare it with the rules in the firewall table. If a match is found, a firewall_hit signal is asserted and the packet is sent to the software part of the firewall system. The software part checks the packet's other header information and decides whether to accept or deny the packet according to the software rules. If no match is found, the packet is passed to the next modules for further processing.

The packet matching is performed using the FPGA's on-chip content addressable memory (CAM), which enables high-speed data searches [15]. The Verilog source code of the designed firewall system was synthesized using the Xilinx Integrated Synthesis Environment (ISE) design suite. A schematic view of the designed firewall module is shown in Figure 3.
Figure 3. Designed firewall module structure

2.3 Software Designed Firewall

The software part of the firewall was written in the C programming language. It is based on the SCONE component of the NetFPGA. A set of firewall rules is designed and inserted into this model. These rules are very flexible and can be modified easily by any user at any time.

An incoming packet arrives at this software part if its destination IP address matches an entry in the hardware firewall table. The software part extracts the header information of the incoming packet; it can also display the information of all packets while the software is running. The software part then compares the extracted packet information with the rules and, depending on the result of the matching operation, either allows the packet to pass through the NetFPGA firewall to its destination or drops it. In the software part, a Java graphical user interface (GUI) and a command line interpreter are also provided for displaying, inserting and updating the firewall table, routing table and ARP cache.
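The two-stage decision of sections 2.2 and 2.3, written out in C as an added example (this is not the paper's code nor the NetFPGA project's SCONE code): the hardware firewall table is emulated as a list of destination IP addresses looked up on every packet, and the software part as a small ordered rule list over source prefix, protocol and destination port that only sees packets the first stage flagged. The counters mirror the kind of statistics the paper reads from the Figure 6 view (total packets, packets forwarded purely in hardware, packets sent to the CPU because of a table match, software accepts and drops). The rule format, the function names (ip4, firewall_process, verdict_for, run_sample_traffic) and the sample packets are assumptions made for this example; the two table entries, 192.168.60.8 and 192.168.40.8, are the ones visible in Figure 5.

```c
/* Added example, not the paper's code: a host-side model of the two-stage NetFPGA
 * firewall of sections 2.2 and 2.3.  Stage 1 stands in for the hardware firewall
 * table (a CAM keyed on destination IP), stage 2 for the SCONE-side C rules that
 * inspect the rest of the header.  Rule format, names and traffic are assumptions. */
#include <stdint.h>
#include <stdio.h>

#define HW_TABLE_SIZE 32   /* the paper's comparison tests use 32 table entries */
#define SW_RULES_MAX  16

enum verdict { FORWARD_HW = 0, ACCEPT_SW = 1, DROP_SW = 2 };
struct packet_hdr {           /* header fields the two stages look at */
    uint32_t src_ip, dst_ip; uint8_t proto; uint16_t dst_port;  /* proto: 1 ICMP, 6 TCP, 17 UDP */
};
struct sw_rule {              /* hypothetical software-rule format; a 0 field is a wildcard */
    uint32_t src_ip, src_mask; uint8_t proto; uint16_t dst_port; int accept; /* accept: 1/0 */
};
struct firewall_stats {       /* counters in the spirit of the Figure 6 statistics view */
    unsigned total, forwarded_hw, sent_to_cpu, accepted_sw, dropped_sw;
};
struct firewall {
    uint32_t hw_table[HW_TABLE_SIZE]; int hw_entries;    /* stage 1: destination IPs */
    struct sw_rule sw_rules[SW_RULES_MAX]; int sw_count;  /* stage 2: header rules */
    int sw_default_accept;                                /* policy when no rule matches */
    struct firewall_stats stats;
};

/* Dotted quad to host-order integer; returns 0 on malformed input. */
uint32_t ip4(const char *s) {
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

static void add_sw_rule(struct firewall *fw, const char *src, const char *mask,
                        uint8_t proto, uint16_t dst_port, int accept) {
    struct sw_rule r = { ip4(src), ip4(mask), proto, dst_port, accept };
    if (fw->sw_count < SW_RULES_MAX) fw->sw_rules[fw->sw_count++] = r;
}

/* Stage 1: the CAM compares all entries in parallel; the loop only models hit/miss. */
static int hw_lookup(const struct firewall *fw, uint32_t dst_ip) {
    for (int i = 0; i < fw->hw_entries; i++) if (fw->hw_table[i] == dst_ip) return 1;
    return 0;
}

/* Stage 2: first matching rule wins, otherwise the default policy applies. */
static int sw_check(const struct firewall *fw, const struct packet_hdr *p) {
    for (int i = 0; i < fw->sw_count; i++) {
        const struct sw_rule *r = &fw->sw_rules[i];
        if ((p->src_ip & r->src_mask) != (r->src_ip & r->src_mask)) continue;
        if (r->proto && r->proto != p->proto) continue;
        if (r->dst_port && r->dst_port != p->dst_port) continue;
        return r->accept;
    }
    return fw->sw_default_accept;
}

enum verdict firewall_process(struct firewall *fw, const struct packet_hdr *p) {
    fw->stats.total++;
    if (!hw_lookup(fw, p->dst_ip)) { fw->stats.forwarded_hw++; return FORWARD_HW; } /* no hit */
    fw->stats.sent_to_cpu++;        /* firewall_hit: the packet is handed to the software part */
    if (sw_check(fw, p)) { fw->stats.accepted_sw++; return ACCEPT_SW; }
    fw->stats.dropped_sw++;
    return DROP_SW;
}

/* Constructed configuration: the two table entries visible in Figure 5, plus two software
 * rules (FTP control from PC1's subnet and ICMP pass; anything else that hits the table is
 * dropped, since zero-initialisation leaves sw_default_accept = 0). */
static void build_sample_firewall(struct firewall *fw) {
    *fw = (struct firewall){0};
    fw->hw_table[fw->hw_entries++] = ip4("192.168.60.8");
    fw->hw_table[fw->hw_entries++] = ip4("192.168.40.8");
    add_sw_rule(fw, "192.168.0.0", "255.255.255.0", 6, 21, 1);
    add_sw_rule(fw, "0.0.0.0", "0.0.0.0", 1, 0, 1);
}

/* Verdict for one constructed header against the sample configuration. */
enum verdict verdict_for(const char *src, const char *dst, uint8_t proto, uint16_t dst_port) {
    struct firewall fw;
    struct packet_hdr p = { ip4(src), ip4(dst), proto, dst_port };
    build_sample_firewall(&fw);
    return firewall_process(&fw, &p);
}

/* Constructed burst of six packets; returns the counters afterwards. */
struct firewall_stats run_sample_traffic(void) {
    struct firewall fw;
    const struct packet_hdr burst[] = {
        { ip4("192.168.0.8"),  ip4("192.168.40.8"), 6, 21 }, /* hit, accepted (FTP rule) */
        { ip4("192.168.0.8"),  ip4("192.168.40.8"), 6, 22 }, /* hit, dropped (no rule) */
        { ip4("192.168.10.8"), ip4("192.168.40.8"), 6, 21 }, /* hit, dropped (other subnet) */
        { ip4("192.168.0.8"),  ip4("192.168.10.8"), 6, 80 }, /* miss, hardware forward */
        { ip4("192.168.60.8"), ip4("192.168.0.8"),  1, 0  }, /* miss, hardware forward */
        { ip4("192.168.0.8"),  ip4("192.168.60.8"), 1, 0  }, /* hit, accepted (ICMP rule) */
    };
    build_sample_firewall(&fw);
    for (size_t i = 0; i < sizeof burst / sizeof burst[0]; i++) firewall_process(&fw, &burst[i]);
    return fw.stats;
}
```

run_sample_traffic() returns the counters after the burst: four of the six packets hit the destination table and are handed to the software part, which accepts two and drops two, while the other two never leave the hardware path. This is the behaviour behind the Figure 6 observation that a high "sent to CPU" count does not by itself mean packets were dropped. verdict_for() gives the verdict for a single constructed header against the same configuration.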


3. Results and Analysis

For testing the NetFPGA-based prototype firewall system, the network shown in Figure 4 was configured.
Figure 4. Networking test environment


The four Ethernet ports of the NetFPGA-1G-CML are NF0, NF1, NF2 and NF3. First, IP addresses are assigned to the NetFPGA ports from the software part. Then, the four PCs are connected to the ports. PC1 with IP address 192.168.0.8 is connected to port NF0 with IP address 192.168.0.1. PC2 with IP address 192.168.10.8 is connected to port NF1 with IP address 192.168.10.1. PC3 with IP address 192.168.40.8 is connected to port NF2 with IP address 192.168.40.1, while PC4 with IP address 192.168.60.8 is connected to port NF3 with IP address 192.168.60.1.

Firewall rules are written in the software firewall rule model. The IP addresses of the connected PCs are written into the hardware part of the firewall by editing the destination IP fields of the firewall table in the GUI. Examples of the GUI output for the designed network are shown in Figure 5 and Figure 6. The GUI in Figure 5 shows the general configuration of the firewall system, which includes the NetFPGA interface configuration, routing table, ARP cache and firewall table, while the GUI in Figure 6 shows the values of the statistical variables that count the number of packets for the different cases.

The last counter value (the number of packets sent to the CPU due to a match in the firewall table) is high because all the PCs' IP addresses match entries in the firewall table. This does not mean that all of these packets are dropped by the firewall: they are sent to the software firewall, which then decides which packets are passed and which are dropped.
Figure 5. An example of GUI output of firewall configuration (Configuration tab of the Firewall-Router Configuration window: the Interface Configuration panel lists ports 0 to 3 with MAC addresses 00:4e:46:31:30:00 to 00:4e:46:31:30:03 and IP addresses 192.168.0.1, 192.168.10.1, 192.168.40.1 and 192.168.60.1; the Firewall Table panel holds the entries 192.168.60.8 and 192.168.40.8; Routing Table and ARP Table panels are also shown)

Figure 6. An example of GUI of statistics variables


For throughput testing, PC3 in Figure 4 was configured as a TCP server and PC1 as a TCP client. The Iperf network testing tool was used to measure system performance. The TCP bandwidth rate shown in Figure 7 confirms that the developed NetFPGA-based firewall can provide a throughput of more than 900 Mbps.
Figure 7. TCP bandwidth rate (JPerf 2.0.2 network performance measurement graphical tool)


3.1 Firewall Performance Test 

For evaluating the performance of the NetFPGA-based firewall system, the network shown in Figure 8 was also configured. To perform bi-directional data transfer between the computers connected to the NetFPGA, PC-A with IP address 192.168.0.8 acts as FTP client1 towards FTP server1 on PC-B, and as FTP server2 for client2 on PC-B. Correspondingly, PC-B with IP address 192.168.40.8 acts as FTP client2 towards server2 on PC-A, and as FTP server1 for client1 on PC-A.


Figure 8. Firewall performance test example (PC-A, 192.168.0.8, running FTP Client 1 and FTP Server 2, attached to NF0 at 192.168.0.1; PC-B, 192.168.40.8, running FTP Server 1 and FTP Client 2, attached to the port at 192.168.40.1; the remaining ports are 192.168.10.1 and 192.168.60.1; the NetFPGA operates either as the NetFPGA firewall or as a NIC with Iptables)


For the firewall performance comparison test, the Linux firewall package Iptables was used. In the first test, the FPGA chip on the NetFPGA board was programmed with the designed firewall bitstream file, so that the NetFPGA works as the NetFPGA firewall with its designed software and hardware parts. In the second test, the FPGA chip on the NetFPGA board was programmed to function only as a network interface card (NIC), with ifconfig commands in Linux used to set the IP addresses of the NetFPGA ports; Linux Iptables was enabled and the firewall rules were added. In the second test the NetFPGA therefore works as a NIC for the Iptables software firewall. Table 1 shows the latency and memory usage results for the two firewall types.
Table 1. Latency and Memory Usage Comparison

Firewall type             Latency     Memory Usage
Linux Iptables            0.717 ms    27.26%
NetFPGA-based Firewall    0.402 ms    23.31%
Directly Connected        0.381 ms    ---

Using the FTP command line, files of different sizes were transferred from PC-A to PC-B and from PC-B to PC-A. The bandwidth was also evaluated, and the results are shown in Table 2.


Table 2. FTP File Transfer Bandwidth Rate Comparison

Data size     Firewall type              Client    Bandwidth rate
2.2 Mbytes    Iptables-based Firewall    PC-B      198.786
              NetFPGA-based Firewall     PC-B      437.382
              Iptables-based Firewall    PC-A      214.844
              NetFPGA-based Firewall     PC-A      592.031
236 Mbytes    Iptables-based Firewall    PC-B      182.228
              NetFPGA-based Firewall     PC-B      259.750
              Iptables-based Firewall    PC-A      163.326
              NetFPGA-based Firewall     PC-A      455.018

The bandwidth rate comparison shown in Figure 9 was evaluated with 32 entries in the firewall rule set for both the NetFPGA-based firewall and the Iptables-based firewall, i.e. 32 destination IP addresses were inserted into the firewall table of the designed firewall, and the same rules were inserted into Iptables. In this test, the IP addresses of PC-A and PC-B did not match any entry in the firewall table in either case.
Figure 9. Bandwidth Comparison between Iptables and NetFPGA Firewalls without Rule Match
Another test was performed by inserting the IP address of PC-B into the firewall table of both the NetFPGA-based firewall and the Iptables-based firewall. The bandwidth rate comparison for this test is shown in Figure 10. The firewall performance is lower than in the evaluation shown in Figure 9 because the matching packets are sent to the software part of the firewall.
Figure 10. Bandwidth Comparison between Iptables and NetFPGA Firewalls with Rule Match


4. CONCLUSION 

In order to provide higher network security, it is important to use an efficient firewall system that has little or no effect on overall network performance. Through this study and research experience, we can conclude that some traditional firewalls provide a higher level of security, but they may affect traffic loads, network throughput and latency, since packets must be compared against complex firewall rule tables. Other firewalls, which may have less effect on network performance, cannot provide the same security level. For these reasons, this research focused on developing a new firewall system that can strongly protect networks while having a minimal effect on network performance. The developed firewall system is a hardware and software co-design. Compared with the Linux Iptables-based firewall, it was confirmed that the developed NetFPGA-based firewall provides better performance: it can provide double the throughput of the Linux Iptables-based firewall. As future work, it is expected to develop the hardware part to perform all packet processing. The software part can also be developed to perform more complex operations, such as examining and changing the actual contents of the packet rather than examining only the packet's header information. If this work succeeds, a firewall with excellent performance will be realized.